Mozilla releases Firefox & Thunderbird security updates
Mozilla has released updates for the Firefox web browser and for the Thunderbird news and email client, closing a number of critical security vulnerabilities in those open source products. The latest security and stability update to the 3.6.x branch of Firefox addresses a total of 14 security issues, including eight that Mozilla lists as critical, two high-level bugs and four rated as moderate. Critical bugs include a DOM attribute cloning issue, problems related to malformed PNG images, a CSS array index integer overflow bug, errors in NodeIterator, a dangling pointer problem and various memory safety hazards, most of which could potentially lead to remote code execution. The Mozilla development team has also released Firefox 3.5.11 to address the same vulnerabilities.
The 3.1.1 update for Thunderbird closes one critical bug that could cause the email client to crash and five other issues across all platforms. The legacy version of Thunderbird has also been updated to 3.0.6 to address several critical issues. However, at the time of this writing, the Thunderbird 3.0.6 security advisories have yet to be published. Mozilla advises all users to upgrade to the latest releases as soon as possible.
Just a few days ago, Mozilla announced that it would begin to reward users who discover and report security vulnerabilities in its software with $3,000 for each verified report. Previously the reward, distributed under the Mozilla Security Bug Bounty Program, which launched in 2004, had been limited to just $500. As part of the scheme, users who report vulnerabilities will also receive a free T-shirt.
More details about the updates can be found in the Firefox 3.5.11 and 3.6.7, and Thunderbird 3.0.6 and 3.1.1 release notes. Firefox 3.5.11 and 3.6.7, and Thunderbird 3.0.6 and 3.1.1 are available to download for Windows, Mac OS X and Linux. Alternatively, users can upgrade to the new versions either by waiting for the automated update notification or by manually selecting "Check for updates" from the Help menu.
Firefox and Thunderbird binaries are released under the Mozilla Firefox End-User Software License Agreement and Mozilla Thunderbird End-User Software License Agreement, and the source code is released under disjunctive tri-licensing that includes the Mozilla Public Licence, GPLv2 and LGPLv2.1.
Update: Mozilla has also released an update for its SeaMonkey "all-in-one internet application suite". The 2.0.6 update fixes a number of non-security-relevant crashes and addresses the same critical vulnerabilities closed in version 3.6.6 of Firefox. Further details can be found in the release notes. However, the SeaMonkey 2.0.6 security advisory has yet to be posted. SeaMonkey 2.0.6 is available to download for Windows, Mac OS X and Linux.
- Mozilla Foundation Security Advisories, Firefox and Thunderbird security advisories.
- Firefox 3.6.7 and 3.5.11 security updates now available, a Mozilla Developer Center blog post.
- Thunderbird 3.1.1 and 3.0.6 security updates now available, a Mozilla Developer Center blog post.